90f5d5aaf1aeb2c0d46451e2495ace667932b89427d8d5e47b1fc44a1aebafd5

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
Size

5.5MB
MD5

91cecf25f81024ac14405502901baf51
SHA1

9010679783767d17ffc8b48e1ee405ea534c4bed
SHA256

90f5d5aaf1aeb2c0d46451e2495ace667932b89427d8d5e47b1fc44a1aebafd5
SHA512

586a455cd3f738c5f291b3f0439534cf88b77b59d4ed2b1167626b4e87d9565f10ba4209202852295694c66caa1f9cd2897459ed4b68240d4ce4b2a9bd5bacfb
SSDEEP

49152:gEFbqzA/PvIGDFr9AtwA3PlpIgong0yTI+q47W1bn9tJEUxDG0BYYrLA50IHLGfn:uAI5pAdV9n9tbnR1VgBVmMC17DVqFJU

Score

7^/10

spyware stealer

Malware Config

Signatures

Executes dropped EXE 26 IoCs

Processes:

alg.exeDiagnosticsHub.StandardCollector.Service.exefxssvc.exeelevation_service.exeelevation_service.exemaintenanceservice.exemsdtc.exeOSE.EXEPerceptionSimulationService.exeperfhost.exelocator.exeSensorDataService.exesnmptrap.exespectrum.exessh-agent.exeTieringEngineService.exeAgentService.exevds.exevssvc.exewbengine.exeWmiApSrv.exeSearchIndexer.exechrmstp.exechrmstp.exechrmstp.exechrmstp.exe

pid	process
4572	alg.exe
1072	DiagnosticsHub.StandardCollector.Service.exe
1076	fxssvc.exe
5024	elevation_service.exe
2252	elevation_service.exe
624	maintenanceservice.exe
1916	msdtc.exe
1140	OSE.EXE
2384	PerceptionSimulationService.exe
2140	perfhost.exe
1996	locator.exe
3836	SensorDataService.exe
4576	snmptrap.exe
544	spectrum.exe
5080	ssh-agent.exe
3140	TieringEngineService.exe
216	AgentService.exe
4768	vds.exe
564	vssvc.exe
3104	wbengine.exe
3204	WmiApSrv.exe
1252	SearchIndexer.exe
6024	chrmstp.exe
6112	chrmstp.exe
5328	chrmstp.exe
5432	chrmstp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

Processes:

2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exemsdtc.exealg.exe

description	ioc	process
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\vssvc.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\System32\alg.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\System32\vds.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\wbengine.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\5771764ec3136770.bin	alg.exe

Drops file in Program Files directory 64 IoCs

Processes:

2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsimport.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{372EF552-D8CF-402C-B62E-CA3A4C643A96}\chrome_installer.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ktab.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jconsole.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exemsdtc.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

spectrum.exeSensorDataService.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

TieringEngineService.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exefxssvc.exechrome.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000001bfe5db903aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b02646b903aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000857ad8b803aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000003b2827b903aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9907 = "MIDI Sequence"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000096f2afb803aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091b04fb903aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000712384b903aeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006462d9bf03aeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000ea2808b903aeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe

Modifies registry class 1 IoCs

Processes:

chrmstp.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ chrmstp.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

5016 chrome.exe
5016 chrome.exe
5016 chrome.exe
5016 chrome.exe
5820 chrome.exe
5820 chrome.exe
Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

656
656
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5016 chrome.exe
5016 chrome.exe
5016 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrmstp.exe

pid	process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5820	chrome.exe
5820	chrome.exe

pid	process
656
656

pid	process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exefxssvc.exeTieringEngineService.exeAgentService.exevssvc.exewbengine.exeSearchIndexer.exechrome.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	3352	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
Token: SeTakeOwnershipPrivilege	4216	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
Token: SeAuditPrivilege	1076	fxssvc.exe
Token: SeRestorePrivilege	3140	TieringEngineService.exe
Token: SeManageVolumePrivilege	3140	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	216	AgentService.exe
Token: SeBackupPrivilege	564	vssvc.exe
Token: SeRestorePrivilege	564	vssvc.exe
Token: SeAuditPrivilege	564	vssvc.exe
Token: SeBackupPrivilege	3104	wbengine.exe
Token: SeRestorePrivilege	3104	wbengine.exe
Token: SeSecurityPrivilege	3104	wbengine.exe
Token: 33	1252	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	1252	SearchIndexer.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe
Token: SeShutdownPrivilege	5016	chrome.exe
Token: SeCreatePagefilePrivilege	5016	chrome.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

chrome.exechrmstp.exe

pid process

5016 chrome.exe
5016 chrome.exe
5016 chrome.exe
5328 chrmstp.exe

pid	process
5016	chrome.exe
5016	chrome.exe
5016	chrome.exe
5328	chrmstp.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exechrome.exe

description	pid	process	target process
PID 3352 wrote to memory of 4216	3352	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
PID 3352 wrote to memory of 4216	3352	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
PID 3352 wrote to memory of 5016	3352	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe	chrome.exe
PID 3352 wrote to memory of 5016	3352	2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe	chrome.exe
PID 5016 wrote to memory of 3644	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3644	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 1044	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 4940	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 4940	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe
PID 5016 wrote to memory of 3452	5016	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352

C:\Users\Admin\AppData\Local\Temp\2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe
C:\Users\Admin\AppData\Local\Temp\2024-05-24_91cecf25f81024ac14405502901baf51_ryuk.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=113.0.5672.93 --initial-client-data=0x2c8,0x2cc,0x2d0,0x29c,0x2d4,0x140462458,0x140462468,0x140462478
2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa05d5ab58,0x7ffa05d5ab68,0x7ffa05d5ab78
3⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:2
3⤵
PID:1044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1904 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3044 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:1
3⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:1
3⤵
PID:5000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4204 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:1
3⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4392 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:5144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:5152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4744 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:5732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4472 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:5880

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
3⤵
- Executes dropped EXE
PID:6024

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x14044ae48,0x14044ae58,0x14044ae68
4⤵
- Executes dropped EXE
PID:6112

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5328

C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x28c,0x290,0x294,0x26c,0x298,0x14044ae48,0x14044ae58,0x14044ae68
5⤵
- Executes dropped EXE
PID:5432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:6056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:6780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:6788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:8
3⤵
PID:6880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1012 --field-trial-handle=1940,i,4564556742283231835,6277772655850342766,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5820

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4572

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:1072

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:1944

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2252

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:1916

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1140

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:2384

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:2140

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:1996

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3836

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:544

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5080

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4788

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4768

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:564

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3104

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:3204

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1252

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:5532

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
2⤵
- Modifies data under HKEY_USERS
PID:5664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Filesize
2.1MB

MD5
c1767e5d8cf5360165b2d4802cbdf362

SHA1
83150b9e2fedfdb58e6f705b2f1dd418bb3780c0

SHA256
07adcd1fcbd260e38d3db62a481bca247ab7c1b651672699a2beb0be9ba39684

SHA512
74be419fa1bbdd3817b3088ec2381be2cc37531a452886ceef8768b731170fe5391a872287e4441a1756ca506284af361495f512a17654771faccbb3dbe1b3fd

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Filesize
797KB

MD5
b50a14102716df0e19c91bcc2e7bd666

SHA1
773e4c8ba4c3ea9adf0f31f0a1af24c1bda44281

SHA256
b1f2f4b269721c7cfda1980c7c27b2f687b533f27af5af2c60c2dfaa77912b53

SHA512
ffe7adfe0e0e1e024f172212a94d662800b93ca5507f14a387e0cb7f082e1562077b65a3ce3f62c414755abc73430bef38901332a78298991997ce0f1c5013de

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
Filesize
805KB

MD5
cd1115d934edac7796fdb05476650aba

SHA1
f77e687687709938eaa77306ad29b752d3885890

SHA256
8d9fca4eab3576da0e439444491cbeab7fc37f2e820295a51b89cd64d93e8dda

SHA512
030605d4af29715c01bc1428a3b8b53be7c374311e91782d0cd27969a7cf606672c331c11f31432f371d4ed273db200e5dd05dcfdd8e2e0984450413ac7e879b

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\chrmstp.exe
Filesize
5.4MB

MD5
dd8948a37b2afad8d14de1b87c5fef07

SHA1
280fb5d5dea3b56f68eed1e04f92089e1340072f

SHA256
1306649b6ab7ab394f617a241693f9352ed0676361467a6b9d6bbaa49e75b20e

SHA512
9dc0b8466ef380968ec732a1b5022ae94a38f461f5127721e598ca972a8f6c0ca82f3449f351c66b68403ec0722ef1c8b213600c9a88bb8b8588ac427f7a2ceb

Download Submit
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
Filesize
2.2MB

MD5
635f0f71479882e97e859f4ccf2ca284

SHA1
b1e0f30065f40ed45adff229aebece4916b2ad49

SHA256
b9186c74bea128542902d4ba3a71bc001dacf3c321facf6bc2c2b20f68b596b3

SHA512
d1bc45bdd5d79e06002edf6fc79ae27a3f1529e31b51596a41745c567fd1302c532e12d7804f6bb195a3bab579976b9ad8a8c73311d771ed45b4c4ef3d3bb248

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\ddb8eefa-46f0-471f-9ec5-3159fd511afa.tmp
Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
Filesize
40B

MD5
757f9692a70d6d6f226ba652bbcffe53

SHA1
771e76fc92d2bf676b3c8e3459ab1a2a1257ff5b

SHA256
d0c09cff1833071e93cda9a4b8141a154dba5964db2c6d773ea98625860d13ad

SHA512
79580dd7eb264967e0f97d0676ba2fcf0c99943681cad40e657e8e246df1b956f6daeb4585c5913ca3a93fdfd768933730a9a97a9018efa33c829ab1dea7a150

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Google Profile.ico
Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
f8737e6fe7bf9dabb2666833046df90d

SHA1
0b0862992a1283bf3018baed9c708864582e64bf

SHA256
8384bd08c7763b106df1212bd47657651c7cf766fc9ec188f3fe973bddb55b84

SHA512
adba28ad2426337dabb81fbdd9650d98e3ba3ba8c3796080f18d4596646f0d277936a4584297841f8e2d7985ed56883cdd0c83bac142d392297b3c8f83bb1105

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
03d6cac21a3f8d0e7c3bdbf5b15d00e2

SHA1
7ff272632552e4f54c32a3579aef791708eaa697

SHA256
f509631632fd2625a3720fad1a72094d7ddd524723aaa60e1054d2d4379514e6

SHA512
f2039d5ad8dee291afcb091105eb688c7a45d0442f51114080923a255eb1c73856a40307d08c95418e885ada9c747b6c34938e55b8568bea10e2ba5435d2293a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
5KB

MD5
2c9cc69c239d9a34fb3f87c83a1107c2

SHA1
d044ae06baebef3b8d1fbf0d20dff5449c232208

SHA256
93eeb4b4d177f02036f79bc0f72460b41cc031b7c4dc532c43e0cd5f5bc563db

SHA512
123fa01fefd68fad52099808b6cc911b0d630559752731a9fed875b536fa4f6e02b907ea7a80fe9b3d273e2b792001d387f2d9405360aab547d5a02587774e79

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences~RFe579088.TMP
Filesize
2KB

MD5
6c38709f2b92b4197d45f6df3df81cb9

SHA1
92d1adb3512f085dba8c03ea68d926704ebbbda3

SHA256
d5bb9e1c53b6d6dd67dcfdf3963d7d8b0dd3094ce6a86851e8b8ab7d3d6f235a

SHA512
3cc01f22a75c283dd55a4fc9b02211776bc1246ae7787ffeee21a25d0ea8ddaafbb70cbe8d0976356fcff59c9be8e9c178c15264d2a44df3653bb1e03fe41bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c0eb0caa-965a-4eec-a709-9821433e0f78.tmp
Filesize
16KB

MD5
95b988c030f89ca41d663b4374011851

SHA1
e19aa19e1d8a1e02352ac52cca96439e0e063931

SHA256
b58b80d21b6c496a3e6ccbb7e8f1499cffc7b223e70e6a8d56ef5a4e2b28443f

SHA512
ec3122d9ddd827b5b2e6e577ee0ec9f2374d4738acd8436f9ac4220c0ce8754be40267d0cf0f10ffab13a34632c05cad6cadea6e92d660bf900abc9aba695f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
3464a731101b603e1d9efe7d1ca4fc83

SHA1
67ea9781884c0698c8bd220d1a1a1df3c4e147f5

SHA256
1503e5c092d37a25e3a6645c03dac3252ff09993099be4cf6105feca6ce04701

SHA512
ebf7589e65c0f230bb5b96c64e248526c3ef4ac5e7c76cabe07f2221280ad4091d6e141d719ca9567da316af095a35e01dad3e3b3c068a257a8113a25df31d99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
2bcae9f0a188d67fe8ff9ef2f9f8833a

SHA1
3f22f8d79284bac91e7f2993980dd977c08c07dd

SHA256
e19bcc24eeb1ca3393071bdbb7374f8ebbc5977682595b7c9b23909a03291efc

SHA512
12ce436ec5694698f2a9e312ecd63b5a405f89e8dcfa4ed50ee6dcc629dfdeedf8b91e6592c1654edce4365134b91113823ff896c5721def5eecf60bb8f70c76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
df50e58a8a68116b6c9a0c42561c5d4f

SHA1
c94bb3d4367653cf7d07c4104f981740c77af57e

SHA256
f3cf38a43ec9a002978672db572fd3f27fb5381cf61307ebebb63e83f5e38cbf

SHA512
833c72ba36f794c5f05d570b3f9fdb2ab2c75521afdbc2f51ed3f7d815548daa35e021c72f30391514965ad79886f0171d26be5241e1ebb03d2833d0eea2f72d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
e2a14835460bdf9afc30f871bc582a81

SHA1
802d4779a9146d5f9124a9dec00c3696063c3b16

SHA256
c363c103594dff74c9b0b81392cc94654383b2f8acd364b9bbb009c122309569

SHA512
3a3194f15890b6fa0818c308175cc88a2e579a71a78bc534bb1e89fb99c46b338b66241bc9456622f747739a2a6b02ffb8551d5a081a2dcd381c65492d4a55e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
91KB

MD5
9a67b07979a5898022e95066e279a954

SHA1
45b1342d1e987eea3f0adc13fb1608bf4afa5e66

SHA256
aeec484a04aecb64bb04c2a5f91a7961208f4c22e08b5331dc22943604b3b90e

SHA512
3c79a2d900c8af94a26dc62ed8c84a0f175a675b641325d2de62c03ad4a8a76e3ea69d37f3e2a89229518b253da8509235d419e87dc31da11f9b49cba9915bcf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe580599.TMP
Filesize
88KB

MD5
a53a31bc5efddaba059893c7ef5ab9ec

SHA1
9fce2d068f0ae07e9c622b893732cd4c667c0125

SHA256
c6d2e577b370088c55d3727e8bc2b6d3697ca933656745d9014f45371683e482

SHA512
f06776e7b345cc489990e989d13360c6e902b8bfbba963818ac751f7255b2c266cfeb79980ac5f335b2771c7fc284eb5e67834100127ece3241a98d9bd5873f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
7KB

MD5
60ce332f19bea312a595434eb297d0de

SHA1
3f426bb1ade5634305845beb42c13b503884734d

SHA256
60fb8c36fbf639ad6b58a70cd64fdf9bc28295050044258b0fd2a8e6033a9ce0

SHA512
b384674dbe0ebb72cdfd0cb7a6b8e199766d42035ce0be9d8c90967f679dd13bdf45a8a988978728365c9f7a87757789aa18056e2e9195635763d7cdc694ff6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
Filesize
8KB

MD5
286669304d2028c4ef6bdfa0fd392fd9

SHA1
0c347e24baa873516415d0b292f92ab73df9164b

SHA256
c785aa28fd0c115a73e44b49dcc7824c98202807fb74bb1318df08340f7d9d1f

SHA512
6ce290bb4f84f5dde74430b660d7c14e166f71fcc6d1f4b7fcd0fcaff75fc0de85d050bf37a374ecd1c243e92c487933da1c9b82d781912c50647698f2130dc9

Download Submit
C:\Users\Admin\AppData\Roaming\5771764ec3136770.bin
Filesize
12KB

MD5
0df9eb1b5aa0d179f8a49bb0fab2c6cb

SHA1
defa38029eed00a199577235bab17fd21dede141

SHA256
9ef0539d14c7c152e15a8ea8684292f4791cf746a6b1898c7f633e726d504057

SHA512
023b82243b4f2f789da2738fa9debb992f6d32811b8d700e0bd9a0a109c0ba5183cc1b812afb886f13ad6ac500e38645d2082b4359e2cd0f66185169eb2e0c24

Download Submit
C:\Windows\SysWOW64\perfhost.exe
Filesize
588KB

MD5
0e5a66a71377a4e80a29dfb0380d4cf5

SHA1
e73740cc61bbded7479c6a12a5c26cc6a388bac1

SHA256
86d74b34a54acaced481727aa667791624ed568e44087dc0d8f481aa60a50f69

SHA512
296a02aef417f59fbc02933de979299f8ce9a9e141bc314872976508d3c12983068d47d5eee53817859e30ee8fa588d8a6cc82dfcd80b90386b0bb6c21f6afa0

Download Submit
C:\Windows\System32\AgentService.exe
Filesize
1.7MB

MD5
0f225388938e829a62aaec580038fd1e

SHA1
3d963d275fc58ee509e299e9165e3e86b7c4165f

SHA256
4a33734eb3d19abcc36030b0cadf7c23c056d38313ec800d5b7a5cea65bbf5dc

SHA512
bb8068cd9e0b1d6ab83a69870294c50d6276589affb1be8e34fe42d435fbfe2f2da07a7ff3a6361e32bb872be3e511c5935390e7be9be239cb1e57828c1620c5

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Filesize
659KB

MD5
f8f4e6f382831174262b7480549fdb38

SHA1
3d172a3f088afdbdf2ebc8d37470e5b41f3b51ff

SHA256
9c99d4a5c5744da93f360e019946064cf383e05d5244b09fa953d600d8cd4efc

SHA512
3374d2f4511dcab38e2bf1391739e02cf87b4c3fb3bd09d3c2b2fef343c812c9ef2bf826850f2f1f545a9d471df6ea649080ba5fd30d62840463b5e6fb659e4c

Download Submit
C:\Windows\System32\FXSSVC.exe
Filesize
1.2MB

MD5
1bfa4c45b3d1d6efe80da228cc9bca39

SHA1
933232a3ae7bbcd713a719676080133afb262da8

SHA256
1fa7d8045b030bc3bde2d36ac5876c860e5ae9bfd5151a8f8da66e4b3728249d

SHA512
38c396e3620dd81753f84e7ee40ed70532f9a71863356a9f87576f8a6ce409c5751f7868e230ccfbcb877ff8044f1cd572247d0d69643758f403f5691d1fc569

Download Submit
C:\Windows\System32\Locator.exe
Filesize
578KB

MD5
064203c9972e819f5a21136bfb45e035

SHA1
cfcd656e3e707e1f2c74ca9bdd52d746ae7c94dc

SHA256
178c9b3065c2b352d1c39361fbc72c8b13f79d1ffc982b9951bd1c1c483694cc

SHA512
af6aa9a05eb5766d0534a2acc2ff728d6b0b78e0801a5c8cc6adfe5a2e375cc8c1fe6c7e8f133b450d613ec02ede782a9c8a16b79594f033eb1a0ca9bd3bfaef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe
Filesize
940KB

MD5
ddbbb012991ae2c8414e2196d0eaade3

SHA1
1d36cfd23959d6407fdf92bde73bb376e5a1e4cb

SHA256
e98b16f9cc2c86a64ad97e8b18c07b33742b1bd70dbf5f15fe91336ddad43ef2

SHA512
22c59f2ff1f5d89106a24bc09f1f4d0672f48f9461740bd4abd09b51463b93f7835baafa3e12bb48bcb40eca45840f95b3c0c47739fe4abe03a01b83f0485726

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe
Filesize
671KB

MD5
7fd6dcdbeb75b220aa9b7dc9292eb1a3

SHA1
9bdeefeb792dc913141150c6d0fe9fb2e23959f7

SHA256
247a4f829964c6c70f8bdd62d0c74c3343c0dccea15eee5017755f2ff3efd142

SHA512
e1c4ad2397345b86af20640b70b71e34344e264f9dd12cd4c5aced22ea60f2f20835605ff684fb15f9881ee350dbfe2af4888663e1723f665dcf68b3ddb21c74

Download Submit
C:\Windows\System32\SearchIndexer.exe
Filesize
1.4MB

MD5
d614f6a1aec2134af9c89bc7d782f4db

SHA1
502166ac708a9cccf00962f614f4db46c5d0582b

SHA256
e47e108459b776123dd1d8daaff49eebe9b96de0b14a40f8f29d5a78d87645eb

SHA512
905ac1f98a8c67814532d4d3bbe69bac8e97e4aebcb958f23234ec786e9ab247b46c05a051ebbe5ddbfb9b6402d24432f083e9274631e45f9864a2a50d332175

Download Submit
C:\Windows\System32\SensorDataService.exe
Filesize
1.8MB

MD5
da439c1fbd0b68d246069991c7dd13e7

SHA1
8b4525163026756673dc2cd0b396d96ba6d7f924

SHA256
843cbb9ef29bd79edc7d36e5711ad0cc0a1cbb2562735bd97b9520bdcc4c6f82

SHA512
f1a45e25d172a315458fea69d18f2abe2892b274d08be4e3a8e2eada4eb8ec17eb07c4fd1bb823acb13b489b3fe3bd172b47e3f00ba8ff71f04eca5a3f17f9ea

Download Submit
C:\Windows\System32\Spectrum.exe
Filesize
1.4MB

MD5
6c4f1b54e3d01204f619263968877746

SHA1
aa08f0f52ba3f9e23f5195f8f74501245ebbd084

SHA256
069490d64d16dda1c5ba5fa905789d853fd75160a269c162a1413648caac2036

SHA512
ab4f25c087c1b55451b0117b3f3dded68b9dfedbfe7b6cd7041a6d49ce67044d1d150f10fb2c78afe6c44bd326c3492a54202b33baa38b2d57b2c59de29ec160

Download Submit
C:\Windows\System32\TieringEngineService.exe
Filesize
885KB

MD5
2e7b1b0121edf968a4291435b81fa432

SHA1
de6621a197fa0611f316e2a101199e21266605a1

SHA256
ddba37f7711fde192a8e9ee8c4b8ec892d80fd40105d37e8c22367ee97372316

SHA512
f502494f3abcf64cc7e0b969f80d7108768d58d2cc7ca416d888c7ef01f94b37ab73cc76b0d2d4c56a95970eb2cb521feb8c2d58eff474057b753f20b741146c

Download Submit
C:\Windows\System32\VSSVC.exe
Filesize
2.0MB

MD5
d10a32826776bf406ea33c2451fb016c

SHA1
69dcc49e1eb41e4b89c37808b260e73de3039f65

SHA256
644ee54014f6de44f7208e8b26b38bb2e2f71b4283d6d0d4457e15623f112a89

SHA512
44add3b4ca7427729930a6b840fb185b279a17e27b70e0805f9f6d03902b9f762b14a3960010284e9d4d6ec3f44136e3eb83adb416c1aa8ebef114d882795a93

Download Submit
C:\Windows\System32\alg.exe
Filesize
661KB

MD5
cb5bddd6ac3a05b7dd155d66162a4091

SHA1
2e53e6eabef57fa803c35a503764451305f85628

SHA256
2b5ebadfde0b9ffba53b24c5458ac30992f8f8652dec1ae8c9f9ef2736f7dbc9

SHA512
af94f6a9d3b558c54228065eaa5b79e941e9c6f780566ae6177578c954ee477860151c42d7bc0d253c1e7488edc31842b6c60cfe55666373fdb1b3a8b126dffc

Download Submit
C:\Windows\System32\msdtc.exe
Filesize
712KB

MD5
2d23b8ea70f09d38c92659c1d576f937

SHA1
876e45925eb7ad7ecce19240335eaccc85601352

SHA256
c7110f0409d25b1fdc468239bba6e19fcc2d59b5365d3bb65041ab9d7999240d

SHA512
423029abee67ccf614398780cc7d969916ef78c8bd52cc5d278acd70c953bfb0e3185cd3a28add842531cd17cfecb524e50a50c38536bffb52b81ba5832bc57a

Download Submit
C:\Windows\System32\snmptrap.exe
Filesize
584KB

MD5
3625a1ea3fd970415cd632cdbd83e6d0

SHA1
24a89d63494076fa7a1d96aea5704f5e0ac38466

SHA256
c9a5f212c737b725eed9a90c1d075a15cd2e17d92eb61a800b086fe0cee24feb

SHA512
31f3cf123e0af3ec77794669bce13f9705da734b1ab2181c0c23deb5c66af7424be8fbbae90173c092b0e555d7ba48cec18755c58be325df67b82d833083bc8c

Download Submit
C:\Windows\System32\vds.exe
Filesize
1.3MB

MD5
0050f85122eed2987baa79efa611e827

SHA1
f21e44ed0a75d116f60caa027437c5596dea4fd2

SHA256
c312941d143b11081c0823ac4c1a014d3671583389243be1ef16e9d871e3dee8

SHA512
df9b2ccb4f07b2646254295c82765a746b43245461bb34c9c59df82f22a363ecbdfa6aaa8b5754bac2548a911d34fb13bcb934784b2a53888aa5e890322d332c

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe
Filesize
772KB

MD5
2071c0ed94981a0792bf8ff2566b099c

SHA1
07c1faaee8566a6d11d7c4ed8fafd4ca636dfa97

SHA256
f90b6946cfa7e36578afcdbc6a58b980e6eee1ff1785707e201b63e85af89ec3

SHA512
42a044c94024ed63c4dc13c39d30602ceddd491b9ce50d751b6cf816dca29a0eb8d380a26b5e9b18ce5c0838b89d8e045a8755d6f8008fd1494e3a9d1e9ad452

Download Submit
C:\Windows\System32\wbengine.exe
Filesize
2.1MB

MD5
b990d09bf7d0a958936c920b431fa4eb

SHA1
377e54b4fe3f9010532115fa9587aa29d840fcc4

SHA256
040effeaf2532cc4aa670ccb1a194abcb358475f7a56c52c420fb7fb571ed007

SHA512
d9122e09a151ac3c98045cca44145a6252f8a6188943b63378704a29916e9c5a94fa96796364d738cb947dcd9a35c2a38c08bde0df746cba83aecf634092cf2c

Download Submit
C:\Windows\TEMP\Crashpad\settings.dat
Filesize
40B

MD5
8323eb783d4b3475bc1107f7b22fe30a

SHA1
8b61ba2d4ceddcce64913e45b0b3aaedba641153

SHA256
b04e4a8229ad76f418899a184586a34f1da04653efdd8f0386b76fe7282bd7c4

SHA512
a6e5fa59549dd9f848741b7c5e0e99e3efd1ac639e61a1a430fe7a62e6f13bf625fc22d619b29e9319f0bddd46eda6bd61057d4afcde7c846a72bf6e4ef79972

Download Submit
memory/216-215-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/544-316-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/564-320-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/624-104-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/624-92-0x0000000001A70000-0x0000000001AD0000-memory.dmp

Filesize
384KB

Download
memory/1072-52-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1072-54-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/1072-46-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/1076-63-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1076-78-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1076-57-0x0000000000530000-0x0000000000590000-memory.dmp

Filesize
384KB

Download
memory/1076-80-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1076-75-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/1140-308-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1252-323-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1252-719-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/1916-307-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/1996-311-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2140-310-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/2252-82-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2252-306-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2252-88-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/2252-717-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/2384-309-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/3104-321-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3140-318-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/3204-322-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3204-718-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/3352-6-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3352-26-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3352-10-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/3352-0-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3352-24-0x00000000007E0000-0x0000000000840000-memory.dmp

Filesize
384KB

Download
memory/3836-314-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3836-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4216-552-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4216-20-0x0000000140000000-0x0000000140592000-memory.dmp

Filesize
5.6MB

Download
memory/4216-11-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/4216-17-0x0000000002000000-0x0000000002060000-memory.dmp

Filesize
384KB

Download
memory/4572-707-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4572-28-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4572-38-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4572-34-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4576-315-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4768-319-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/5024-76-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5024-73-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/5024-460-0x0000000140000000-0x000000014024B000-memory.dmp

Filesize
2.3MB

Download
memory/5080-317-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/5328-585-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5328-564-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5432-575-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/5432-775-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6024-528-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6024-596-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6112-770-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download
memory/6112-548-0x0000000140000000-0x000000014057B000-memory.dmp

Filesize
5.5MB

Download